https://community.splunk.com/t5/Getting-Data-In/Why-does-Linux-Auditd-App-filter-out-root-for-the-user-lookup/m-p/531796#M89451 <P>The root user is the only truly universal user on any Linux machine so it's not in the learnt identities but the static identities lookup (<A href="https://github.com/doksu/splunk_auditd/blob/master/TA-linux_auditd/lookups/posix_identities.csv" target="_blank">https://github.com/doksu/splunk_auditd/blob/master/TA-linux_auditd/lookups/posix_identities.csv</A>), and they get merged together automatically. Best check your static identities lookup to ensure it has root in it.</P> Thu, 03 Dec 2020 03:29:31 GMT doksu 2020-12-03T03:29:31Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Linux-Auditd-App-filter-out-root-for-the-user-lookup/m-p/531733#M89438 <P>Hello,</P><P data-unlink="true">I have been using the Linux Auditd app, which has been great, but I noticed that the&nbsp;learnt_posix_identities&nbsp; lookup filters out the root user.</P><P>&nbsp;</P><LI-CODE lang="javascript">[|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes] type="USER_START" acct=* NOT acct=root NOT auid=0 terminal=/dev/tty* OR NOT addr=? | dedup auid | table auid acct | rename auid as _key | rename acct as user | outputlookup append=true learnt_posix_identities</LI-CODE><P>&nbsp;</P><P>A lot of my syscalls are coming from root and the dashboards display unknown user. I could just manually edit the KV Store to add root, however I wanted to understand why this filter was here to make sure I don't break something.</P><P>Regards,</P><P>Dave</P> Wed, 02 Dec 2020 16:17:36 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Linux-Auditd-App-filter-out-root-for-the-user-lookup/m-p/531733#M89438 dconnett_splunk 2020-12-02T16:17:36Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Linux-Auditd-App-filter-out-root-for-the-user-lookup/m-p/531796#M89451 <P>The root user is the only truly universal user on any Linux machine so it's not in the learnt identities but the static identities lookup (<A href="https://github.com/doksu/splunk_auditd/blob/master/TA-linux_auditd/lookups/posix_identities.csv" target="_blank">https://github.com/doksu/splunk_auditd/blob/master/TA-linux_auditd/lookups/posix_identities.csv</A>), and they get merged together automatically. Best check your static identities lookup to ensure it has root in it.</P> Thu, 03 Dec 2020 03:29:31 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Linux-Auditd-App-filter-out-root-for-the-user-lookup/m-p/531796#M89451 doksu 2020-12-03T03:29:31Z